Wow, I sent that message yesterday. There must be a delay for first-time posters...

We need a way to specify the default behavior for a document (e.g. "origin"), then for certain links we need a way to specify a more relaxed policy (e.g. "unsafe-url"). We have cases where we want to share referer query parameters between domains (https://search.yahoo.com to https://www.flickr.com for example) but generally we want everyone else to get the origin (even when downgrading to http). The logic defining when to do this is complex and shouldn't be added into the spec (please no "use-yahoo-logic" policy directive). If we have a way to loosen the per-document policy for individual "a" elements (and form submits, now that I think about it) we should be good. For single-page apps we need to be able to insert "a" elements client-side, so it might be worthwhile to add something explicit into the spec which allows that.

I am also thinking about img and iframe as well but I can't find a use case for that yet.

Thinking out loud: I wonder about window.location transitions too. Hmmm.


At Feb 13, 2015, 5:06:39 AM, Mike West<'mkwst@google.com'> wrote:
On Thu, Feb 12, 2015 at 4:05 PM, Scott Beardsley <sbeards@yahoo-inc.com> wrote:
Thanks Francois, you beat me to putting this together. We would like to see this use case satisfied at Yahoo too.

Hi Scott, can you describe Yahoo's use case, just so we can verify that Francois' proposal does what you need it to do?

-mike


--
Mike West <mkwst@google.com>, @mikewest

Google Germany GmbH, Dienerstrasse 12, 80331 München, Germany, Registergericht und -nummer: Hamburg, HRB 86891, Sitz der Gesellschaft: Hamburg, Geschäftsführer: Graham Law, Christine Elizabeth Flores
(Sorry; I'm legally required to add this exciting detail to emails. Bleh.)
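
Added example, not part of the original message or of any specification: a small JavaScript model of the use case described above, with a document default of "origin" and a per-link override to "unsafe-url", plus a review helper that flags overrides pointing at hosts outside an allowlist. The function names, the fallback for unknown override values, and all URLs other than the two Yahoo and Flickr origins are assumptions made for illustration.

```javascript
// Added illustration, not from the thread. Only the two policies named in
// the message are modelled; function names and sample URLs are constructed.
const POLICIES = new Set(["origin", "unsafe-url"]);

// A per-link value overrides the document default only when it is a known
// policy; anything else falls back to the default (assumed behaviour).
function effectivePolicy(documentPolicy, linkPolicy) {
  return POLICIES.has(linkPolicy) ? linkPolicy : documentPolicy;
}

// Referer value sent for a navigation away from documentUrl.
// Credentials and the fragment are never included.
function refererFor(documentUrl, documentPolicy, linkPolicy) {
  const u = new URL(documentUrl);
  u.username = "";
  u.password = "";
  u.hash = "";
  return effectivePolicy(documentPolicy, linkPolicy) === "origin"
    ? u.origin + "/"
    : u.href;
}

// Review helper: links whose override exposes the full URL to a host that
// is not on the allowlist of partner hosts.
function unexpectedFullUrlLinks(links, documentPolicy, allowedHosts) {
  return links.filter((link) =>
    effectivePolicy(documentPolicy, link.policy) === "unsafe-url" &&
    !allowedHosts.has(new URL(link.href).hostname));
}

// Constructed sample page and links.
const page = "https://search.yahoo.com/search?p=kittens#results";
const links = [
  { href: "https://www.flickr.com/photos/", policy: "unsafe-url" },
  { href: "http://example.org/", policy: undefined },
  { href: "https://tracker.example/", policy: "unsafe-url" },
];
for (const l of links) {
  console.log(l.href, "<-", refererFor(page, "origin", l.policy));
}
```
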